Description of problem: === Ansible installer deploy router pods on region=infra by default. However, it seems that it doesn't deploy pod with /etc/origin/master/openshift-router.kubeconfig. bz#1282822 can provde this. The error is not produced without /etc/origin/master/openshift-router.kubeconfig. - a) router deployed by installer - b) router deployed by "oadm router" (without --credentials) - c) router deployed by "oadm router --credentials='/etc/origin/master/openshift-router.kubeconfig'" c) can produce error [1], but a) and b) doesn't prouduce the error. NOTE: So, c) needs "oadm policy add-cluster-role-to-user cluster-reader system:openshift-router" Version-Release number of selected component (if applicable): === 3.x How reproducible: === Deploy router with ansible innstaller Steps to Reproduce: --- 1. Run ansible installer and deploy router 2. Configure "Router Shards" *without* "oadm policy add-cluster-role-to-user cluster-reader system:openshift-router" Actual results: === It should not work, since "system:openshift-router" doesn't have the permission to list namespace by default. Expected results: === - Router shards failed, but it will work after adding "oadm policy add-cluster-role-to-user cluster-reader system:openshift-router" --- [1] E0116 09:55:49.535424 1 controller.go:75] unable to find namespaces for router: User "system:openshift-router" cannot list all namespaces in the cluster [2] Router Shards https://docs.openshift.com/container-platform/3.3/install_config/router/default_haproxy_router.html#using-router-shards
Phil, I see that you wrote much of the documentation related to router shards. What's the best way for us to be installing the router such that it works for sharding and ideally works in normal scenarios? Should we always grant the cluster-reader role to openshift-router?
Could you please let us know what procedure is correct and how you are planning to fix this issue? The customer needs to standardize the steps.
Scott, I am not up on the policy stuff. It appears that we need to have cluster-reader but I am not sure it should be set up by default. Maybe Clayton or Jordan could comment. I am not sure sharding vs regular is all that different. Usually the routers are set up in default namespace and the routes are set up in some project namespace. phil
Jordan, Thoughts on granting the router SA cluster reader?
we should not be deploying with --credentials any more the router command grants required permissions to the router's service account
We don't for 3.2 and later.
> we should not be deploying with --credentials any more So, all docs have to be updated.. https://docs.openshift.com/container-platform/3.3/install_config/router/default_haproxy_router.html Also, there are some mysterious remains... - Why you didn't remove --credentials options from "oadm router" command? - Is "/etc/origin/master/openshift-router.kubeconfig" necessary to deploy during the installation?
> - Is "/etc/origin/master/openshift-router.kubeconfig" necessary to deploy during the installation? I meant that openshift-router.kubeconfig should not be deployed. I think it is not used by any services.
--credentials is there for customers that want to provide their own certificates.
You mean that if we use own certs, we need to specify openshift-router.kubeconfig with --credentials? In that case, cluster-reader would be necessary to add. So complicated... It is not possible to simplify this?
In order to use NAMESPACE_LABELS you need to follow the instructions at https://docs.openshift.com/enterprise/3.2/install_config/install/deploy_router.html#creating-the-router-service-account to give the router sufficient privilege to read the namespace objects. You then need to set the NAMESPACE_LABELS environment variable on the router dc to tell it what labels to read. There are many other environment variables that it probably makes sense to allow people to set as well, so I think this request is larger in scope. So we should probably work out how we want to handle setting arbitrary environment variables on the router (or whether we want to expose ansible settings for all of them) before rushing into changing this. And if the NAMESPACE_LABELS are set, should we grant the permission automtically, or require them to specify that separately?
We need to work out the strategy that we want to take for all of the router features. I've added card https://trello.com/c/FUwFD0P3 to track this feature.
This bug has been identified as a dated (created more than 3 months ago) bug. This bug has been triaged (has a trello card linked to it), or reviewed by Engineering/PM and has been put into the product backlog, however this bug has not been slated for a currently planned release (3.9, 3.10 or 3.11), which cover our releases for the rest of the calendar year. As a result of this bugs age, state on the current roadmap and PM Score (being below 70), this bug is being Closed - Differed, as it is currently not part of the products immediate priorities. Please see: https://docs.google.com/document/d/1zdqF4rB3ea8GmVIZ7qWCVYUaQ7-EexUrQEF0MTwdDkw/edit for more details.